[PATCH] ldb: Fix index out of bound in ldb_msg_find_common_values

Lukas Slebodnik lslebodn at redhat.com
Wed Jul 5 13:33:57 UTC 2017


ehlo,

I noticed a failure[1] when I was packaging libldb-1.2.0 for Fedora,
which was required for samba-4.7.0rc1. And I was quite lucky that
it failed at least for i386 :-)

I did not notice it with 1.1.31 because the unit tests were not executed as part
of the build due to other issues.

LS

[1] https://koji.fedoraproject.org/koji/taskinfo?taskID=20322524
-------------- next part --------------
From 68e9da7bc4049b1a2080d07324cc26eebe5ee55b Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn at redhat.com>
Date: Tue, 4 Jul 2017 15:46:49 +0200
Subject: [PATCH] ldb: Fix index out of bound in ldb_msg_find_common_values

cmocka unit test failed on i386
[==========] Running 2 test(s).
[ RUN      ] test_ldb_msg_find_duplicate_val
[       OK ] test_ldb_msg_find_duplicate_val
[ RUN      ] test_ldb_msg_find_common_values
[  FAILED  ] test_ldb_msg_find_common_values
[==========] 2 test(s) run.
[  ERROR   ] --- 0x14 != 0
[   LINE   ] --- ../tests/ldb_msg.c:266: error: Failure!
[  PASSED  ] 1 test(s).
[  FAILED  ] 1 test(s), listed below:
[  FAILED  ] test_ldb_msg_find_common_values
 1 FAILED TEST(S)

But we were just lucky on other platforms because there is an
index out of bounds according to the valgrind error.

==3298== Invalid read of size 4
==3298==    at 0x486FCF6: ldb_val_cmp (ldb_msg.c:95)
==3298==    by 0x486FCF6: ldb_msg_find_common_values (ldb_msg.c:266)
==3298==    by 0x109A3D: test_ldb_msg_find_common_values (ldb_msg.c:265)
==3298==    by 0x48E7490: ??? (in /usr/lib/libcmocka.so.0.4.1)
==3298==    by 0x48E7EB0: _cmocka_run_group_tests (in /usr/lib/libcmocka.so.0.4.1)
==3298==    by 0x1089B7: main (ldb_msg.c:352)
==3298==  Address 0x4b07734 is 4 bytes after a block of size 48 alloc'd
==3298==    at 0x483223E: malloc (vg_replace_malloc.c:299)
==3298==    by 0x4907AA7: _talloc_array (in /usr/lib/libtalloc.so.2.1.9)
==3298==    by 0x486FBF8: ldb_msg_find_common_values (ldb_msg.c:245)
==3298==    by 0x109A3D: test_ldb_msg_find_common_values (ldb_msg.c:265)
==3298==    by 0x48E7490: ??? (in /usr/lib/libcmocka.so.0.4.1)
==3298==    by 0x48E7EB0: _cmocka_run_group_tests (in /usr/lib/libcmocka.so.0.4.1)
==3298==    by 0x1089B7: main (ldb_msg.c:352)

Signed-off-by: Lukas Slebodnik <lslebodn at redhat.com>
---
 lib/ldb/common/ldb_msg.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index abad5a8320551c09e64539b993b8c5408ccdd32a..8e4047b41beebcadeab9631bc820941f0eadc490 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -262,20 +262,12 @@ int ldb_msg_find_common_values(struct ldb_context *ldb,
 	n_values = el->num_values;
 	i = 0;
 	j = 0;
-	while (i != n_values) {
+	while (i != n_values && j < el2->num_values) {
 		int ret = ldb_val_cmp(&values[i], &values2[j]);
 		if (ret < 0) {
 			i++;
 		} else if (ret > 0) {
 			j++;
-			if (j == el2->num_values) {
-				/*
-				  We have walked past the end of the second
-				  list, meaning the remainder of the first
-				  list cannot collide and we're done.
-				*/
-				break;
-			}
 		} else {
 			/* we have a collision */
 			if (! remove_duplicates) {
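Review bot: the removed `if (j == el2->num_values) break;` only guarded the `ret > 0` path, so any other path that advances `j` (the collision branch, which this hunk cuts off before) or an `el2` with zero values would reach `ldb_val_cmp(&values[i], &values2[j])` with `j` past the end of `values2`, which is exactly the 4-bytes-past-a-48-byte-block read in the valgrind trace; hoisting the bound into `while (i != n_values && j < el2->num_values)` covers every path. Two follow-ups: confirm that the collision branch (not visible here) does not index `values2[j]` again after incrementing `j` and before the loop condition is re-evaluated, and consider `i < n_values` for symmetry with `j < el2->num_values`, since `!=` silently becomes an overrun if a later change ever advances `i` by more than one.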
-- 
2.13.0
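The bug class behind the patch, as an added example that is not ldb's code: a lockstep walk over two sorted value lists, with the end-of-second-list check in the loop condition (the fixed shape) beside a dry run of the old control flow that reports whether it would have read past the second list. `struct val`, `val_cmp` (length, then bytes) and the assumption that the collision branch advances both indices are this example's own stand-ins; the hunk above cuts off before ldb's collision branch, so that part is an assumption, not something the patch shows.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for an LDAP attribute value; assumed shape, not ldb's struct ldb_val. */
struct val { const uint8_t *data; size_t length; };

struct demo { size_t common; int old_overruns; };

static struct val V(const char *s)
{
    struct val v = { (const uint8_t *)s, strlen(s) };
    return v;
}

/* Total order: shorter first, then bytewise. Any consistent order works for the walk. */
static int val_cmp(const struct val *a, const struct val *b)
{
    if (a->length != b->length) return a->length < b->length ? -1 : 1;
    return memcmp(a->data, b->data, a->length);
}

/* Insertion sort; inputs are tiny and this keeps the example dependency free. */
static void sort_vals(struct val *v, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        struct val key = v[i];
        size_t k = i;
        while (k > 0 && val_cmp(&v[k - 1], &key) > 0) { v[k] = v[k - 1]; k--; }
        v[k] = key;
    }
}

/* Fixed shape: the bound on j is part of the loop condition, so the collision
 * branch (which advances both indices) and an empty second list are both safe. */
size_t count_common_values(struct val *a, size_t na, struct val *b, size_t nb)
{
    size_t i = 0, j = 0, common = 0;
    sort_vals(a, na);
    sort_vals(b, nb);
    while (i < na && j < nb) {
        int ret = val_cmp(&a[i], &b[j]);
        if (ret < 0)      i++;
        else if (ret > 0) j++;
        else { common++; i++; j++; }   /* collision */
    }
    return common;
}

/* Dry run of the removed control flow: the end check lived only in the ret > 0
 * branch. Returns 1 the moment the old loop would read b[j] with j >= nb,
 * instead of performing that read. The collision branch advancing j is assumed. */
int old_loop_overruns(struct val *a, size_t na, struct val *b, size_t nb)
{
    size_t i = 0, j = 0;
    sort_vals(a, na);
    sort_vals(b, nb);
    while (i != na) {
        if (j >= nb) return 1;          /* the read valgrind flagged */
        int ret = val_cmp(&a[i], &b[j]);
        if (ret < 0) {
            i++;
        } else if (ret > 0) {
            j++;
            if (j == nb) break;         /* the only guarded path */
        } else {
            i++; j++;                   /* collision: no guard here */
        }
    }
    return 0;
}

/* Constructed inputs. Tail collision: b's only value matches a's second value,
 * so the collision branch pushes j to nb while i is still inside a. */
struct demo demo_tail_collision(void)
{
    struct val a1[] = { V("a"), V("c"), V("d") }, b1[] = { V("c") };
    struct val a2[] = { V("a"), V("c"), V("d") }, b2[] = { V("c") };
    struct demo d = { count_common_values(a1, 3, b1, 1), old_loop_overruns(a2, 3, b2, 1) };
    return d;
}

struct demo demo_empty_second(void)
{
    struct val a1[] = { V("x") }, a2[] = { V("x") };
    struct demo d = { count_common_values(a1, 1, NULL, 0), old_loop_overruns(a2, 1, NULL, 0) };
    return d;
}

/* Ordinary overlap where the old loop happens to stay in bounds ("just lucky"). */
struct demo demo_overlap(void)
{
    struct val a1[] = { V("a"), V("b"), V("c") }, b1[] = { V("b"), V("c"), V("d") };
    struct val a2[] = { V("a"), V("b"), V("c") }, b2[] = { V("b"), V("c"), V("d") };
    struct demo d = { count_common_values(a1, 3, b1, 3), old_loop_overruns(a2, 3, b2, 3) };
    return d;
}

int main(void)
{
    struct demo t = demo_tail_collision(), e = demo_empty_second(), o = demo_overlap();
    printf("tail collision: common=%zu old_overruns=%d\n", t.common, t.old_overruns);
    printf("empty second:   common=%zu old_overruns=%d\n", e.common, e.old_overruns);
    printf("overlap:        common=%zu old_overruns=%d\n", o.common, o.old_overruns);
    return 0;
}
```

The dry run is the useful part when reviewing a patch like this one: rather than relying on a platform happening to fault (the i386 build here) or on valgrind being in the loop, it turns every index the removed code would have dereferenced into a plain bounds comparison, so the case that escaped the in-branch check is visible on any platform.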